CHECK failure: context in message.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5481227624382464

Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  context in message.cc
  mojo::ReportBadMessage
  content::IndexedDBDispatcherHost::AddBinding

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=620855:620856

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5481227624382464

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
Jan 9
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/48e49c78a460dc600e76ef739a2d6d9d914443cd (IndexedDB: Check for valid origin before binding). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Jan 9
It appears in this ClusterFuzz case that ReportBadMessage() isn't ready to be called: https://cs.chromium.org/chromium/src/mojo/public/cpp/bindings/lib/message.cc?gsn=ReportBadMessage&l=509 (the context DCHECK fails on line 509). What's the right way to report a failed binding to the client?
Jan 9
+dmurph, jsbell FYI
Jan 9
+oksamyt whom I'm discussing this with offline
Jan 9
If the current stack is processing a Mojo message you should be able to call mojo::ReportBadMessage(), but if you are running in a task posted from the message handler then you will run into this problem. To simply fail the binding instead of reporting an error, all you need to do is let the InterfaceRequest<> be freed and the pipe will be closed.
Jan 9
Thanks! CL to fix is under review at https://crrev.com/c/1403351.
Jan 9
Also see issue 920406.
Jan 10
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/142c53535abd878822fcabc14c2c5ee3a823f701

commit 142c53535abd878822fcabc14c2c5ee3a823f701
Author: Chase Phillips <cmp@chromium.org>
Date: Thu Jan 10 01:23:26 2019

IndexedDB: Skip ReportBadMessage() at bind-time

ReportBadMessage() requires a valid context which isn't supplied at bind-time. Instead, skip reporting an issue and early return which will cause the request to be freed and the renderer-side of the pipe to be closed.

Bug: 717812, 918493, 920185, 920406
Change-Id: I4426765e42709e710f3f6d25957c6bb518ca4bcd
Reviewed-on: https://chromium-review.googlesource.com/c/1403351
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Daniel Murphy <dmurph@chromium.org>
Reviewed-by: Oksana Zhuravlova <oksamyt@chromium.org>
Reviewed-by: Reilly Grant <reillyg@chromium.org>
Commit-Queue: Chase Phillips <cmp@chromium.org>
Cr-Commit-Position: refs/heads/master@{#621407}

[modify] https://crrev.com/142c53535abd878822fcabc14c2c5ee3a823f701/content/browser/indexed_db/indexed_db_dispatcher_host.cc
[modify] https://crrev.com/142c53535abd878822fcabc14c2c5ee3a823f701/content/browser/renderer_host/render_process_host_impl.cc
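Added example, not code from this bug, the landed commit, or Mojo itself: a single-file C++ model of the two points made in this thread, the explanation that mojo::ReportBadMessage() only has a context while a message is being dispatched (so a task posted from the handler cannot use it), and the fix of early-returning at bind time so the unbound request is freed and the renderer sees the pipe close. PipeState, DispatchContext, TaskQueue, Host and the IsValidOrigin rule are assumptions of the model, not real Mojo or content/ names; the bind is modelled as running in a posted task, as described above.

```cpp
// Added example, not Chromium or Mojo code. Names below (PipeState, DispatchContext,
// TaskQueue, Host, IsValidOrigin) are assumptions of this model, not real APIs.
#include <functional>
#include <memory>
#include <queue>
#include <string>
#include <vector>

// Shared state of one message pipe; the renderer-side model watches |closed|.
struct PipeState { bool closed = false; };
// Stand-in for InterfaceRequest<>: owns the browser end of an unbound pipe.
// Destroying it without binding is the "early return" path of the fix.
struct InterfaceRequest {
  std::shared_ptr<PipeState> state;
  explicit InterfaceRequest(std::shared_ptr<PipeState> s) : state(std::move(s)) {}
  ~InterfaceRequest() { state->closed = true; }
};
// Stand-in for the renderer's InterfacePtr: it only needs to notice the close.
struct RendererEnd {
  std::shared_ptr<PipeState> state;
  bool connection_error() const { return state->closed; }
};

// Exists only while a message handler is on the stack, like Mojo's dispatch
// context; a task posted from the handler runs after it has been cleared.
struct DispatchContext { bool bad_message_reported = false; std::string reason; };
static DispatchContext* g_context = nullptr;

// Model of mojo::ReportBadMessage(). Real Mojo DCHECKs that a context exists;
// the model returns false on that path so the failure can be observed.
bool ReportBadMessage(const std::string& reason) {
  if (!g_context) return false;  // the "context in message.cc" CHECK failure
  g_context->bad_message_reported = true;
  g_context->reason = reason;
  return true;
}

// Runs |handler| with a dispatch context installed, as while Mojo delivers a message.
DispatchContext DispatchMessage(const std::function<void()>& handler) {
  DispatchContext ctx;
  g_context = &ctx;
  handler();
  g_context = nullptr;
  return ctx;
}

// Minimal stand-in for a SequencedTaskRunner.
struct TaskQueue {
  std::queue<std::function<void()>> tasks;
  void PostTask(std::function<void()> t) { tasks.push(std::move(t)); }
  void RunUntilIdle() {
    while (!tasks.empty()) { auto t = std::move(tasks.front()); tasks.pop(); t(); }
  }
};

// Assumed validity rule for the example only: an opaque ("null") origin is bad.
bool IsValidOrigin(const std::string& origin) { return origin != "null"; }

// (1) The bug pattern: the check runs in a task posted from the handler, so
// ReportBadMessage() finds no context. Returns its result (false = DCHECK path).
bool ReportFromPostedTask(const std::string& origin) {
  TaskQueue queue;
  bool reported = true;
  DispatchMessage([&] {
    queue.PostTask([&] {
      if (!IsValidOrigin(origin)) reported = ReportBadMessage("invalid origin");
    });
  });
  queue.RunUntilIdle();
  return reported;
}

// (2) Reporting inline from the handler, where the context is valid.
bool ReportDuringDispatch(const std::string& origin) {
  DispatchContext ctx = DispatchMessage([&] {
    if (!IsValidOrigin(origin)) ReportBadMessage("invalid origin");
  });
  return ctx.bad_message_reported;
}

// (3) The fix pattern: at bind time, skip reporting and early-return. The task
// held the only reference to the request, so the renderer end sees the close.
struct Host {
  std::vector<std::shared_ptr<InterfaceRequest>> bindings;
  void AddBinding(std::shared_ptr<InterfaceRequest> request, const std::string& origin) {
    if (!IsValidOrigin(origin)) return;  // dropping |request| closes the pipe
    bindings.push_back(std::move(request));
  }
};
bool RejectedAtBindTime(const std::string& origin) {
  auto state = std::make_shared<PipeState>();
  RendererEnd renderer{state};
  Host host;
  TaskQueue queue;
  auto request = std::make_shared<InterfaceRequest>(state);
  queue.PostTask([&host, origin, request] { host.AddBinding(request, origin); });
  request.reset();  // the posted task now owns the request
  queue.RunUntilIdle();
  return renderer.connection_error();
}
```

With an invalid origin, ReportFromPostedTask() returns false (the model's stand-in for the DCHECK), ReportDuringDispatch() records the bad message, and RejectedAtBindTime() returns true because the request died with the task; a valid origin is bound and the pipe stays open.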
Jan 11
ClusterFuzz has detected this issue as fixed in range 621391:621408.

Detailed report: https://clusterfuzz.com/testcase?key=5481227624382464

Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  context in message.cc
  mojo::ReportBadMessage
  content::IndexedDBDispatcherHost::AddBinding

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=620855:620856
Fixed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=621391:621408

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5481227624382464

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 11
ClusterFuzz testcase 5481227624382464 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Jan 9. Labels: Test-Predator-Auto-Components